Getting job title, department and manager ID from Azure AD in claims

Question (votes: 0, answers: 2)

I am using an Azure AD application together with Azure B2C. According to the official Microsoft documentation, we can get additional claims using an Azure AD policy: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping

I managed to get JobTitle with this approach; however, the Department and MobilePhone fields are always empty. Below is the PowerShell script I use to create the AD claims mapping policy.

$claimsMappingPolicy = [ordered]@{
    "ClaimsMappingPolicy" = [ordered]@{
        "Version" = 1
        "IncludeBasicClaimSet" = $true
        "ClaimsSchema" = @(
            [ordered]@{
                "Source" = "user"
                "ID" = "JobTitle"
                "JwtClaimType" = "JobTitle"
            },
             [ordered]@{
                "Source" = "user"
                "ID" = "Department"
                "JwtClaimType" = "Department"
            },
             [ordered]@{
                "Source" = "user"
                "ID" = "MobilePhone"
                "JwtClaimType" = "MobilePhone"
            }
        )
    }
}


$appID = "Azure AD App ID" 
$policyName = "ClaimsMappingPolicy"

$sp = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n: n eq '$appID')"
 
$existingPolicies = Get-AzureADServicePrincipalPolicy -Id $sp.ObjectId `
                    | Where-Object { $_.Type -eq "ClaimsMappingPolicy" }
if ($existingPolicies) {
    $existingPolicies | Remove-AzureADPolicy
}
 
$policyDefinition = $claimsMappingPolicy | ConvertTo-Json -Depth 99 -Compress
$policy = New-AzureADPolicy -Type "ClaimsMappingPolicy" -DisplayName $policyName -Definition $policyDefinition
 
Add-AzureADServicePrincipalPolicy -Id $sp.ObjectId -RefObjectId $policy.Id
Write-Output ("New claims mapping policy '{0}' set for app '{1}'." -f $policy.DisplayName, $sp.DisplayName)
Tags: azure-active-directory single-sign-on azure-ad-b2c claims

2 answers

0 votes

MobilePhone is not available as an optional claim or through a claims mapping policy.
JobTitle and Department: for access tokens, make sure you target your own application as the resource. For example:

https://login.microsoftonline.com/{tenant}/oauth2/authorize?client_id={app id}&resource={app id}

or

https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?client_id={app id}&scope={app id}/.default
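
As an added example that is not part of either answer, the following PowerShell helper decodes a token's payload (no signature validation, inspection only) and checks the two points above: whether the aud claim is your own app ID and whether the mapped JobTitle and Department claims are actually present, or present but empty. The token string and the app ID are assumed inputs from your own sign-in.

```powershell
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Not a JWT: expected header.payload.signature" }
    # JWT segments are base64url: swap the URL-safe alphabet and restore padding
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return ($json | ConvertFrom-Json)
}

function Test-ClaimsMapping {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$AppId,     # your application's (client) ID
        [string[]]$ExpectedClaims = @('JobTitle', 'Department')
    )
    # Decoded without verifying the signature: use this for troubleshooting only,
    # never as a basis for an authorization decision.
    $claims = ConvertFrom-JwtPayload -Token $Token
    # The mapping policy is attached to the service principal of YOUR app, so it
    # only affects tokens issued for that app: 'aud' must be the app ID or its
    # App ID URI. A token issued for another resource (e.g. Microsoft Graph)
    # never carries the mapped claims, however the policy is defined.
    $aud = @($claims.aud)
    $audOk = ($aud -contains $AppId) -or ($aud -contains "api://$AppId")
    $result = [ordered]@{ Audience = ($aud -join ','); AudienceIsThisApp = $audOk }
    foreach ($name in $ExpectedClaims) {
        $prop = $claims.PSObject.Properties[$name]
        if ($null -eq $prop) { $result[$name] = '<claim absent>' }
        elseif ([string]::IsNullOrEmpty($prop.Value)) { $result[$name] = '<claim present but empty>' }
        else { $result[$name] = $prop.Value }
    }
    return [pscustomobject]$result
}

# Usage (assumed inputs): paste the access token from your sign-in and your app ID
# Test-ClaimsMapping -Token $accessToken -AppId "Azure AD App ID"
```

If AudienceIsThisApp is false, the token was requested for a different resource and the mapping policy was never applied to it, which is the situation the answer above describes.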


0 votes

First you have to get an access token, then call the MS Graph API. You can run this query.

# login
Connect-AzAccount

# get accessToken
$resource = "https://graph.microsoft.com"
$context = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile.DefaultContext
$accessToken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id.ToString(), $null, [Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never, $null, $resource).AccessToken

# URL of request REST API
$user_id = "{id | userPrincipalName}"
$manager_uri = "https://graph.microsoft.com/v1.0/users/" + $user_id + "/manager"
# escape $select: inside double quotes PowerShell would expand it as an (empty) variable
$other_uri = "https://graph.microsoft.com/v1.0/users/" + $user_id + "?`$select=displayName,jobTitle,department,mobilePhone"

# get user's manager
Invoke-RestMethod -Method 'Get' -Uri $manager_uri -Headers @{ Authorization = "Bearer " + $accessToken }

# get displayName,jobTitle,department
Invoke-RestMethod -Method 'Get' -Uri $other_uri -Headers @{ Authorization = "Bearer " + $accessToken }

You will get the information from Azure Active Directory -> Users in the portal.


In addition, you can test the responses at https://developer.microsoft.com/en-us/graph/graph-explorer.

https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/manager
https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}?$select=displayName,jobTitle,department,mobilePhone